Frankenstein malware: a monster stitched together from trusted code

Dubbed Frankenstein (natch!), the malware is assembled from pieces of code lifted from benign host programs, so feature-based detectors looking for foreign byte sequences see nothing out of place on the system. Not only that, but by looking like something trusted, it could even end up whitelisted, giving it an easy tunnel straight to the heart of an organization’s network.

Also, like Frankenstein’s monster, the malicious creation is expected to learn about its environment as it goes.

“We wanted to build something that learns as it propagates,” said head researcher Kevin Hamlen, associate professor of computer science, speaking to the University of Texas at Dallas News Center. “Frankenstein takes from what is already there and reinvents itself.”

Hamlen and his co-creator, a doctoral student named Vishwath Mohan, hope to use the creature to improve anti-virus approaches and develop effective defenses against such a threat.

“Shelley’s story is an example of a horror that can result from science, and similarly, we intend our creation as a warning that we need better detections for these types of intrusions,” Hamlen said. “Criminals may already know how to create this kind of software, so we examined the science behind the danger this represents, in hopes of creating countermeasures.”

Metamorphic malware, loosely, covers threats that rewrite their own code each time they propagate, and a range of such viruses has already been released into the wild. Moving from machine to machine, these viruses, much like the flu, mutate in order to avoid detection as a known threat. Frankenstein generally falls under this model, but with the big twist of being made up of otherwise benign parts – other metamorphic malware carries its own mutation engine and so remains a foreign entity on the system.

“Frankenstein forgoes the concept of a metamorphic engine and instead creates mutants by stitching together instructions from non-malicious programs that have been classified as benign by local defenses,” Hamlen said. “This makes it more difficult for feature-based malware detectors to reliably use those byte sequences as a signature to detect the malware.”
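To make the stitching idea concrete, here is a toy model written for this article; it is not the UT Dallas researchers’ code and does not use their real gadget discovery. It invents a tiny stack-machine instruction set, two constructed “benign host” byte strings, and a synthesizer that rebuilds a payload’s behaviour purely from byte runs found in those hosts (gadgets matched by emulating their effect). It then shows why a byte-signature taken from the original payload fails against the mutants, and the caveat that n-grams spanning gadget boundaries can still look novel. All opcodes, host bytes and the f(x) = ((x + 5) * 3) ^ 7 blueprint are assumptions for illustration.

```python
"""Toy model of Frankenstein-style gadget stitching (constructed example,
not the original research code). A tiny stack-machine ISA, two 'benign
host' byte strings, and a synthesizer that rebuilds a payload's semantics
from byte runs (gadgets) found in those hosts."""

# Hypothetical toy ISA; opcode values are arbitrary and chosen for this example.
PUSH, ADD, MUL, XOR, DUP, NOP = 0x01, 0x02, 0x03, 0x04, 0x05, 0x90


def run(code, stack):
    """Execute toy bytecode on a copy of `stack`; arithmetic is mod 256."""
    st, i = list(stack), 0
    while i < len(code):
        op = code[i]
        i += 1
        if op == PUSH:
            st.append(code[i])            # IndexError if the operand is missing
            i += 1
        elif op in (ADD, MUL, XOR):
            b, a = st.pop(), st.pop()     # IndexError on stack underflow
            st.append({ADD: a + b, MUL: a * b, XOR: a ^ b}[op] & 0xFF)
        elif op == DUP:
            st.append(st[-1])
        elif op == NOP:
            pass
        else:
            raise ValueError("undecodable byte 0x%02x" % op)
    return st


# Semantic blueprint of the payload: f(x) = ((x + 5) * 3) ^ 7 in three steps.
BLUEPRINT = [bytes([PUSH, 5, ADD]), bytes([PUSH, 3, MUL]), bytes([PUSH, 7, XOR])]
ORIGINAL = b"".join(BLUEPRINT)        # the monolithic, 'foreign' payload

# Constructed benign hosts. Each happens to contain byte runs that compute the
# blueprint steps differently (e.g. DUP DUP ADD ADD is 'multiply by 3').
HOST_A = bytes([0x02, 0x01, 0x05, 0x90, 0x02, 0x04, 0x05, 0x05, 0x02, 0x02,
                0x90, 0x01, 0x03, 0x01, 0x04, 0x04, 0x04, 0x90])
HOST_B = bytes([0x03, 0x01, 0x02, 0x01, 0x03, 0x02, 0x02, 0x03, 0x05, 0x01,
                0x02, 0x03, 0x02, 0x04, 0x01, 0x07, 0x90, 0x04, 0x03])

TEST_STACKS = [[1, 2, 3], [200, 7, 99], [0, 255, 128], [17, 17, 17]]
MAX_GADGET = 6


def equivalent(candidate, step):
    """True if `candidate` has the same effect as `step` on every test stack."""
    for st in TEST_STACKS:
        try:
            if run(candidate, st) != run(step, st):
                return False
        except (IndexError, ValueError):  # underflow or undecodable bytes
            return False
    return True


def find_gadget(host, step):
    """First byte run of `host` (by offset, then length) equivalent to `step`."""
    for start in range(len(host)):
        for length in range(1, MAX_GADGET + 1):
            cand = host[start:start + length]
            if len(cand) == length and equivalent(cand, step):
                return cand
    raise LookupError("no gadget in host for step %s" % step.hex())


def synthesize(host, blueprint=BLUEPRINT):
    """Stitch a mutant out of host gadgets, one per blueprint step."""
    return b"".join(find_gadget(host, step) for step in blueprint)


def ngrams(data, n=3):
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def signature(sample, benign_pool, n=3):
    """Byte n-grams of `sample` never seen in the benign pool: what a
    feature-based detector would keep as a signature for `sample`."""
    benign = set().union(*(ngrams(h, n) for h in benign_pool))
    return ngrams(sample, n) - benign


def matches(sig, data, n=3):
    """Does any signature n-gram occur in `data`?"""
    return bool(sig & ngrams(data, n))


if __name__ == "__main__":
    pool = [HOST_A, HOST_B]
    sig = signature(ORIGINAL, pool)
    for name, code in [("original", ORIGINAL), ("mutant A", synthesize(HOST_A)),
                       ("mutant B", synthesize(HOST_B))]:
        print("%-9s %-32s f(9)=%s flagged=%s novel 3-grams=%d" % (
            name, code.hex(), run(code, [9]), matches(sig, code),
            len(signature(code, pool))))
```

Both mutants compute the same f(9) = 45 as the original with none of its bytes in the same order, and the six 3-grams a detector would extract from the original never occur in either mutant. The caveat the demo also surfaces: the 3-grams that straddle gadget boundaries (three in mutant A, four in mutant B) are still absent from the benign pool, so a detector keyed on “never seen in benign code” is weakened, not defeated, and each mutant would need its own signature.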